CMS is moving forward with its fraud prevention initiative to remove Social Security numbers from Medicare cards. New cards issued under the program will omit the Social Security numbers of Medicare beneficiaries and, instead, use a unique, randomly-assigned number called a Medicare Beneficiary Identifier (MBI). The new cards will be shipped by CMS beginning April 2018.

Transition

The MBI will be based upon the Health Insurance Claim Number (HICN) currently used on Medicare cards. The use of an MBI in place of a Social Security number is designed to reduce both identity theft and the illegal use of Medicare benefits. The MBI will allow providers to identify beneficiaries using secure access tools. To ensure a smooth transition, there will be a 21-month overlap period where either the MBI or the HICN will be effective for looking up a beneficiary. As part of the transition, beneficiaries will be instructed how to safely and securely destroy their existing Medicare cards and keep their MBI confidential. The new cards will have no impact on the benefits beneficiaries receive.

Identity theft

The new Medicare card initiative was brought about by requirements contained in the Medicare Access and CHIP Reauthorization Act of 2015 (MACRA) (P.L. 114-10). The initiative is important in light of the increase in the occurrence of identity theft. Between 2012 and 2014, identity thefts among individuals 65 and older increased from 2.1 million to 2.6 million. According to CMS, two-thirds of identity theft victims report a direct financial loss.

The Supreme Court’s decision to remand a Fair Credit Reporting Act (FCRA) case to the Ninth Circuit Court of Appeals may affect the future of class actions brought by victims of health care data breaches. The High Court told the Ninth Circuit to determine whether the respondent in Spokeo, Inc. v. Robins (May 16, 2016) sustained a concrete injury for purposes of proceeding with FCRA allegations based on Spokeo’s alleged dissemination of incorrect information about the respondent. The opinion emphasized the importance of the concreteness element of the injury-in-fact requirement of standing, and could endanger lawsuits filed by data breach victims based on impending injuries.

Spokeo

The respondent alleged that while he was “out of work” and “actively seeking employment,” Spokeo, a website that calls itself a “people search engine,” posted misinformation about him that was detrimental to his job search. Specifically, he claimed that the misinformation stating that he was married with children, employed, and in “very strong” economic health made him appear overqualified for work, desirous of a higher salary, and unwilling to travel or relocate. He alleged that Spokeo’s actions violated the FCRA, which requires consumer reporting agencies to “follow reasonable procedures to assure maximum possible accuracy.”

A district court determined that the respondent did not have standing to sue, but the Ninth Circuit reversed, noting that Spokeo violated the respondent’s individual statutory rights and that his interests regarding how his credit information was handled were “individualized rather than collective.” Writing for the majority, Justice Alito noted that standing requires an injury in fact that is both “concrete and particularized,” in addition to being “actual or imminent.” While the Ninth Circuit’s analysis concluded that the respondent’s injury was particularized, affecting him “in a personal and individual way,” the Supreme Court determined that the appellate court did not perform a separate analysis to determine whether the injury was concrete, with Justice Alito noting that “not all inaccuracies cause harm or present any material risk of harm.” He also noted, however, that concrete injuries may be tangible or intangible. Justice Thomas concurred, while Justice Ginsburg, joined by Justice Sotomayor, dissented.

Health care ramifications

The Supreme Court’s view on concreteness could affect the ability of data breach victims to file class actions against the entities that held their protected health information (PHI). Prior cases have dealt with the “actual or imminent” aspects of alleged injuries, with circuits disagreeing with one another. In 2015, for example, the U.S. Court of Appeals for the Seventh Circuit determined that retail customers whose credit card information had been hacked were subject to a “certainly impending” risk or future injury involving fraudulent charges and identity theft, even though they had not actually fallen victim to those actions (see Credit hacking case opens door to health care class actions, August 11, 2015). It issued a similar decision in 2016 in Lewert v. P.F. Chang’s China Bistro, Inc. (April 14, 2016), another credit hacking case, noting that the injuries were concrete.

In Khan v. Children’s National Health System (May 18, 2016), decided after Spokeo, the U.S. District Court for the District of Maryland determined that the plaintiff did not have an injury in fact. It noted that, in the context of data breaches, victims allege “an injury in fact arising from increased identity theft if they put forth facts that provide either (1) actual examples of the use of the fruits of the data breach for identity theft, even if involving other victims; or (2) a clear indication that the data breach was for the purpose of using the plaintiffs’ personal data to engage in identity fraud.” In Khan, phishing emails targeted a hospital system’s employees’ emails that happened to contain some PHI, but the court found no evidence that hackers targeted PHI for the purposes of committing identity fraud. The Khan court noted that the majority of district courts follow this line of reasoning. Stakeholders should follow the Spokeo case, as the ultimate decision may be an indication of the future trend of data breach class actions.